The MySQL client in both MySQL and MariaDB contains a buffer overflow when reading the server version information. This may be exploited by connecting to a malicious/compromised db server or by a MITM and potentially allows execution of arbitrary code as the user running the client.
Created attachment 854008: proposed fix. This fix is really simple, just check buffer size properly.
Note that this issue affects mysql, the command-line tool / SQL shell, not the libmysqlclient library.
This issue is now public via: http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.64
This issue affects the version of mysql55-mysql as shipped with Red Hat Enterprise Linux 5. This issue affects the version of mysql as shipped with Red Hat Enterprise Linux 6.
Created mariadb tracking bugs for this issue: Affects: fedora-all [bug 1059546]
Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1059545]
Acknowledgements: This issue was discovered by Garth Mollett of the Red Hat Security Response Team.
*** Bug 1063398 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0164 https://rhn.redhat.com/errata/RHSA-2014-0164.html
This issue has been addressed in the following products: Red Hat Software Collections for RHEL-6 Via RHSA-2014:0173 https://rhn.redhat.com/errata/RHSA-2014-0173.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:0186 https://rhn.redhat.com/errata/RHSA-2014-0186.html
This issue has been addressed in the following products: Red Hat Software Collections for RHEL-6 Via RHSA-2014:0189 https://rhn.redhat.com/errata/RHSA-2014-0189.html
MySQL upstream commit: http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4601
This issue did not affect MySQL 5.0. While those versions have the relevant sprintf() call, there's a difference in the length of the version string returned by the server_version_string() function. In versions before 5.1.34, the buffer used to store the server version string returned by server_version_string() was static with a length of 128. The buffer glob_buffer to which sprintf prints the connection info was allocated to a size of 512, hence sprintf could not overflow it and a long version string presented by the server would be printed truncated. The server_version_string() function was changed in version 5.1.34 to avoid the problem with truncation of long version strings. The function was modified to dynamically allocate a buffer for the version string, possibly longer than the glob_buffer size of 512. Hence this security flaw was introduced. Upstream bug, upstream commit, and release notes related to the server_version_string() change in 5.1.34 that introduced this issue:
http://bugs.mysql.com/bug.php?id=43153
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/2728.10.6
http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-34.html
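The mechanism described in the comments above, as an added example that is not code from MySQL, MariaDB, or the Red Hat fix: a constructed stand-in for the 512-byte glob_buffer, an sprintf() of a server-controlled version string into it (the vulnerable pattern), a check that computes how many bytes such a call would write past the buffer without actually writing anything, and the bounded snprintf() form that reports truncation instead of overflowing. The format string, the connection id, and the fake_server_version() helper standing in for a malicious server's handshake are assumptions for illustration only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed size the bug report gives for glob_buffer. */
#define GLOB_BUFFER_SIZE 512

/* Assumed format: stands in for the client's connection-info line. The
   %s is the server-supplied version string, i.e. attacker-controlled. */
#define STATUS_FMT "Connection id:\t\t%lu\nServer version:\t\t%s\n"

/* Constructed stand-in for what server_version_string() hands back after
   5.1.34: a heap copy of whatever the server sent, here 'len' bytes of 'A'.
   A malicious or MITM'd server picks 'len'. Caller frees the result. */
char *fake_server_version(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Vulnerable pattern: unbounded sprintf() into a fixed buffer. This is only
   safe while the version string is guaranteed short (the pre-5.1.34
   128-byte static buffer made that guarantee); with a long string it writes
   past glob_buffer. Never call this on untrusted input. Returns the number
   of bytes written. */
int format_status_unsafe(char *glob_buffer, unsigned long conn_id,
                         const char *server_version)
{
    return sprintf(glob_buffer, STATUS_FMT, conn_id, server_version);
}

/* How many bytes the unsafe sprintf() would write past a GLOB_BUFFER_SIZE
   buffer for this version string (0 if it fits). Uses snprintf(NULL, 0, ...)
   so nothing is written; the +1 accounts for the terminating NUL. */
long overflow_bytes(unsigned long conn_id, const char *server_version)
{
    int needed = snprintf(NULL, 0, STATUS_FMT, conn_id, server_version);
    if (needed < 0)
        return -1;
    long total = (long)needed + 1;
    return total > GLOB_BUFFER_SIZE ? total - GLOB_BUFFER_SIZE : 0;
}

/* Hardened pattern: snprintf() bounds the write to buf_size and returns the
   length it would have needed, so truncation is detected rather than
   silently overflowing. Returns 0 on success, 1 if truncated, -1 on error. */
int format_status_safe(char *glob_buffer, size_t buf_size, unsigned long conn_id,
                       const char *server_version)
{
    int needed = snprintf(glob_buffer, buf_size, STATUS_FMT, conn_id,
                          server_version);
    if (needed < 0)
        return -1;
    return (size_t)needed >= buf_size ? 1 : 0;
}

int main(void)
{
    char glob_buffer[GLOB_BUFFER_SIZE];
    char *benign = fake_server_version(10);    /* e.g. a normal "5.5.x" length */
    char *hostile = fake_server_version(600);  /* longer than glob_buffer */
    if (!benign || !hostile)
        return 1;

    printf("benign:  sprintf would overflow by %ld bytes\n",
           overflow_bytes(7, benign));
    printf("hostile: sprintf would overflow by %ld bytes\n",
           overflow_bytes(7, hostile));

    /* The unsafe call is only demonstrated on the benign string. */
    format_status_unsafe(glob_buffer, 7, benign);
    printf("unsafe (benign input): %zu bytes\n", strlen(glob_buffer));

    int rc = format_status_safe(glob_buffer, sizeof glob_buffer, 7, hostile);
    printf("safe (hostile input): rc=%d, %zu bytes kept\n", rc,
           strlen(glob_buffer));

    free(benign);
    free(hostile);
    return 0;
}
```

The safe variant above still truncates, which is exactly the pre-5.1.34 behaviour that the server_version_string() change set out to remove; a fix that wants to print the whole string has to size the destination from the dynamically allocated version string rather than from a compile-time constant, and either way the check is on the destination length, not on the source.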
*** Bug 1088197 has been marked as a duplicate of this bug. ***